The invention is generally related to computers and computer memory management. More specifically, the invention is generally related to virtual address translation in a single-level store computer.
Memory management, i.e., the operations that occur in managing the data stored in a computer, is often a key factor in overall system performance for a computer, particularly in the case of multi-user computers such as servers, midrange computers, mainframe computers, etc., that are accessible by multiple users. Among other tasks, memory management oversees the retrieval and storage of data on a computer, as well as manages certain security tasks for a computer by imposing restrictions on what users and computer programs are permitted to access.
A number of multi-user computers, as well as other computers in general, rely on a memory management technique known as virtual memory management to increase performance and provide greater upgradability of computers and the underlying architectural designs upon which they are premised.
With a virtual memory system, the underlying hardware implementing the memory system of a computer is effectively hidden from the software of the computer. A relatively large virtual memory space, e.g., 64-bits or more in width, is defined for such a computer, with computer programs that execute on the computer accessing the memory system using virtual addresses pointing to locations in the virtual memory space. The physical memory devices in the computer, however, are accessed via xe2x80x9crealxe2x80x9d addresses that map directly into specific memory locations in the physical memory devices. Hardware and/or software in the computer are provided to perform xe2x80x9caddress translationxe2x80x9d to map the real memory addresses of the physical memory to virtual addresses in the virtual memory space. As such, whenever a computer program on a computer attempts to access memory using a virtual address, the computer automatically translates the virtual address into a corresponding real address so that the access can be made to the appropriate location in the appropriate physical device mapped to the virtual address.
One feature of virtual addressing it that is not necessary for a computer to include storage for the entire virtual memory space in the physical memory devices in the computer""s main memory. Instead, lower levels of storage, such as disk drives and other mass storage devices, may be used as supplemental storage, with memory addresses grouped into xe2x80x9cpagesxe2x80x9d (e.g., with each page representing 4096 addresses) that are swapped between the main memory and supplemental storage as needed. Another feature of virtual addressing is that security rules may often be enforced to limit the ability for a computer program to obtain data from unauthorized memory addresses.
Further, some computers, such as the AS/400 midrange computer from International Business Machines Corporation, extend the virtual memory concept by utilizing a single-level store memory management system. Unlike other memory management systems that utilize user-accessible file management systems to directly access data stored on disk drives and other mass storage devices, a single-level store memory management system essentially incorporates all potential sources of memory storage (e.g., main storage, disk drives and other mass storage devices) into the same level of memory. An object (e.g., data, program code or both), once created in a single-level store system, is accessed using a single virtual address, regardless of where the object actually resides. Moreover, any user that requests access to the object receives the same virtual address and accesses the copy of the object. Low level memory management functions handle swapping the object into and out of main storage on an as-needed basis to ensure that the object is in main storage while it is currently in use.
Due to the frequency of access requests in a computer, address translation can have a significant impact on overall system performance. As such, it is desirable to minimize the processing overhead associated with the critical timing path within which address translation is performed.
Address translation in a virtual memory system typically incorporates accessing data structures known as address translation tables that include multiple entries that map virtual addresses to real addresses on a page-by-page basis. Often, due to the large number of memory accesses that constantly occur in a computer, the number of entries required to map all of the virtual addresses in use by a computer can be significant, and require the entries to be stored in main storage, rather than in dedicated memory. To accelerate address translation with such a scheme, a form of cache, known as a translation lookaside buffer (TLB), is typically provided in hardware to cache recently-used entries for quick access by the computer. Ensuring that entries not found in the TLB are loaded quickly into the TLB is therefore critical to the performance of a computer.
In many computers such as the AS/400 computer, loading entries from main storage into the TLB is performed by the actual hardware as part of the virtual address translation. In other computers, software may be used to handle the transfer of entries into the TLB. With a software-based translation mechanism, a short sequence of instructions is executed in a special interrupt handler to supply the missing hardware function, which is usually a simple sequence of comparisons of equality between the virtual address of interest and a limited set of table entries. If no match is found, a page fault-style exception is typically generated to indicate that the TLB cannot be immediately reloaded.
Even with a completely hardware-based translation mechanism, some software may be utilized in address translation. In an AS/400 computer, for example, the hardware-accessible address translation table does not describe the entire contents of main storage. A miss on a TLB results in a hardware-based search of the address translation table in main storage. If found, the appropriate entry is reloaded into the TLB from main storage, and instruction execution resumes without an exception. If not found, however, the hardware generates what it considers to be a xe2x80x9cpage fault.xe2x80x9d Exception handling software is then called in response to the page fault to access additional data structures to determine if the page is actually resident in the main storage. If the page is found in main storage, the hardware-accessible address translation table is updated to swap out an existing entry with a new entry for the currently desired page, and execution continues without an actual page fault, where the page must be swapped into main storage. If the page is not in main storage, a conventional page fault is performed.
In a single-level store computer such as the AS/400 computer, address translation is performed machine-wide. As a result, any job, process, task, etc. that presents a given virtual address will access the same address translation entry, and thus have access to the actual storage mapped to that entry.
One potential security concern presented by a virtual memory system is that of malicious or buggy software simply making up an arbitrary string of binary digits, loading it into a register, and trying to use it as a virtual address. In particular, consider a completely hardware-based virtual address translation mechanism but with no specific security checks, done in hardware. In such a case, the default situation is that a virtual address is authorized if it can be loaded into a register.
To address this potential security risk, computers such as the AS/400 computer utilize a number of security mechanisms that are predominantly implemented outside of the critical path of address translation to minimize adverse performance impact. First, computer programs that execute in non-supervisory states are required to use tagged pointers having a special hardware tag bit. The state of the tag bit is kept in the storage hardware and is not directly visible to programs, and ordinary stores to a given location automatically turn off the special bit. If such programs try to make up a pointer by overlaying a place where a tagged pointer was previously built, the special tag will be off and the usage will fail.
Second, trusted program translation is performed for all new computer programs prior to their being installed via a supervisor-defined software machine interface (MI). In particular, the programs are defined using MI instructions that are not capable of being directly executed on the computer, and when the programs are installed, a translator executing in a supervisor mode translates the program instructions into the actual machine instructions appropriate for execution by the computer. Since the translator is part of the supervisor of the operating system, the translator is assumed to generate instructions that correctly manipulate the special tagged pointers. The hardware-based tag mechanism also can reinforce this protection by allowing the trusted code generation to detect if a tagged region of storage was tampered with deliberately or by accident.
Third, much of the data accessible by non-supervisory programs is encapsulated in the form of xe2x80x9cMI objectsxe2x80x9d that incorporate special pointer-controlled authorization. Each MI object has a public authority as well as additional authorities granted to individual users and classes of users. The MI Instruction set contains manipulations for these various MI Objects. The MI Instructions associated with the various MI Objects request that any existing special tagged pointers interact with this authority mechanism before creating any new special pointers. Some or all of this interaction requires the trusted translation in order to ensure that the security mechanisms cannot be bypassed. In addition, only a subset of the possible types of MI objects are capable of being directly accessed by non-supervisory programs. Special pointers are divided into various classes that the MI Instructions and the trusted translator can distinguish as needed, to permit only certain pointers to actually load or store storage within particular types of MI objects.
Fourth, higher level security mechanisms are utilized to limit the types of activities that can be performed by different modes or states, e.g., supervisor states and non-supervisory states such as user and system states. Operations performed within non-supervisory states are typically subjected to greater scrutiny than operations performed within a supervisor state, and transitions in a program from a non-supervisory state to a supervisor state are also closely scrutinized.
Restricting non-supervisory accesses to memory to using only tagged pointers, however, can be limiting in some applications. For example, it may be desirable to emulate the functionality of a xe2x80x9cprocess local storagexe2x80x9d model such as the UNIX operating system where local data can be requested by and allocated to a particular user for use solely by that user, and with authentication performed during the allocation process to meet security requirements. In such environments, it may be permissible for a non-supervisory program for that user to access the allocated data using untagged pointers, which offer lesser processing overhead and greater conformance to industry programming models, such as treating some particular storage location as both a pointer to a control block or a simple integer. It also permits a greater variety of applications, some of which have integral code generation of their own as part of their design and are technically unwilling or unable to have a supervisor-based routine generate the code.
However, given that both hardware-based and software-based address translation in a single-level store computer rely on a system-wide address translation table, the address space mapped via the address translation table spans the entire virtual address space. As such, without additional security checks performed during the address translation, there would still be the potential for a non-supervisory program executing in a process local storage model to generate an untagged pointer that attempted to access data outside of the allocated local storage. As a consequence, implementing untagged pointers on single-level store computers that use conventional address translation mechanisms would introduce unacceptable security risks, or in the alternative, would lower performance due to the requirement to perform additional security checking to address such risks within the critical timing path during which address translation is performed.
The invention addresses these and other problems associated with the prior art by providing an apparatus, program product, and method in which address translation is performed process-local, rather than system-wide, in a single-level store virtual memory management system using a plurality of process-local address translation data structures that are individually associated with particular software processes executing on a computer. By performing address translation on a process-by-process basis, many of the security concerns associated with system-wide address translation, e.g., attempting to access a virtual address for memory that has not been allocated for the associated process, are significantly reduced from the standpoint of accessing an address translation data structure, since it can be presumed that all of the information in a process-local address translation data structure was previously authorized for the process when added to the data structure. Relatively simpler and faster security checks can then be performed in association with accessing a process-local address translation data structure to minimize the processing delays associated with such accesses. In addition, with such a configuration, any additional security issues can be handled in additional fault handling processing that is executed less frequently than accesses to address translation data structures, such that such additional security processing has a reduced impact on system performance.
These and other advantages and features, which characterize the invention, are set forth in the claims annexed hereto and forming a further part hereof. However, for a better understanding of the invention, and of the advantages and objectives attained through its use, reference should be made to the Drawings, and to the accompanying descriptive matter, in which there is described exemplary embodiments of the invention.